CESNET bears responsibility for the content of this document. The work has been carried out by a CESNET-led working group on IPv6 as part of a joint-venture project within the HE sector in the Czech Republic.

Parts of the report may be freely copied, unaltered, provided that the original source is acknowledged and copyright preserved.

The research leading to these results has received funding from the European Community's Seventh Framework Programme (FP7/2007-2013) under grant agreement n° 238875, relating to the project 'Multi-Gigabit European Research and Education Network and Associated Services (GN3)'.

Table of Contents

Executive Summary
1 Setting Addresses on Interfaces
2 IPv6 Management
3 Client Configuration
4 DHCPv6
5 Neighbour Cache
6 Unicast Routing
7 Routing Protocol - OSPFv3
8 Playing with Multicast
9 Filtering – IPv6 Access Lists
10 Conclusion

Executive Summary

New firmware for HP ProCurve switches was released on 15th November 2010. With this step, the manufacturer removed a significant shortcoming of the ProCurve switches: the lack of full support for the IPv6 protocol. Partial IPv6 support was already introduced in earlier versions, but only for device management and filtering (ACL). Version K.15 brings IPv6 routing support in hardware with all features, including support of the OSPFv3 routing protocol. This firmware was released for the L3 switches series 54xx, 81xx – i.e., all switches with the “K” letter in their firmware name. The release number of the new version is 15 (K.15).

The current document presents a detailed look at the implementation of IPv6 support. Giving examples, it will be shown that IPv6 configuration is not very complicated. Since for many people practical use of IPv6 is still unknown territory, some differences from IPv4 will be described in more detail below. Management and syntax of IPv6 commands copy the Cisco philosophy to a large degree. Yet, there are some small differences. The procedures below definitely do not represent all IPv6 possibilities in the K.15 firmware or IPv6 configuration possibilities, but are merely a manual to put IPv6 into production on these switches easily and quickly.

1 Setting Addresses on Interfaces

The first thing that must be done is to set an IPv6 address. The common IPv4 set-up was one address and a relevant subnet mask for each interface. The situation is slightly different for IPv6. First of all, each interface must be equipped with a Link-Local address. This address has only local significance and must be set automatically on each IPv6 interface immediately after the device is turned on. From the administrator’s point of view, this process is fully automated. As far as configuration is concerned, it therefore does not require any special attention. The other generally used addresses are Global IPv6 addresses. This type of address resembles more or less the addresses that we know from the IPv4 world. Most likely, the change of address length (to 128 bit) will not surprise anyone, but setting the prefix length for most cases to 64 bits is a new thing. In IPv4 terminology we used to refer to a subnet mask and the mask length. With IPv6, we are talking about prefix and prefix length.

As mentioned above, the Link-Local address is set up automatically. The global address configuration is done on the interface. Here, we have two options. Either the whole address, i.e., both the network and the host part (host ID), can be set statically, or you can set the network part only and have the host part set by an EUI64 algorithm, based on the device’s MAC address.

hp-test#configure
hp-test(config)#vlan 224
hp-test(vlan-224)#ipv6 address 2001:718:802:224::1/64
hp-test(vlan-224)#exit
hp-test(config)#vlan 225
hp-test(vlan-225)#ipv6 address 2001:718:802:225::0/64 eui-64

Just to be sure, we can check the configuration:

hp-test(vlan-225)#show ipv6

Internet (IPv6) Service

IPv6 Routing : Enabled
ND DAD       : Enabled
DAD Attempts : 3

VLAN Name   : DEFAULT_VLAN
IPv6 Status : Disabled

VLAN Name   : VLAN224
IPv6 Status : Enabled

Address    |                                             Address
Origin     | IPv6 Address/Prefix Length                  Status
---------- + ------------------------------------------- -----------
manual     | 2001:718:802:224::1/64                      tentative
autoconfig | fe80::21d:b3ff:fe01:a700/64                 tentative

VLAN Name   : VLAN225
IPv6 Status : Enabled

Address    |                                             Address
Origin     | IPv6 Address/Prefix Length                  Status
---------- + ------------------------------------------- -----------
manual     | 2001:718:802:225:21d:b3ff:fe01:a700/64      tentative
autoconfig | fe80::21d:b3ff:fe01:a700/64                 tentative

As shown in the listing, there are three different IPv6 addresses set on two IP interfaces (which are represented by VLANs). The first one is the address we set on the 2001:718:802:224 network. The first available address in the relevant network is used (with the number 1 in the host ID). The other address was created by the EUI64 algorithm. In this case, the network address is 2001:718:802:225 and the host ID is 21d:b3ff:fe01:a700. The third address shown in the listing (fe80::21d:b3ff:fe01:a700) is a Link-Local address. Note that the Link-Local address has the same value on all interfaces. When working with this address, we must therefore append to it, after the % symbol, the interface to which the relevant Link-Local address belongs (e.g., fe80::21d:b3ff:fe01:a700%VLAN224).

2 IPv6 Management

Using IPv6 for switch management will probably remain rather marginal for some time. The main reason for this is the effort to focus on providing native IPv6 (or dual stack) connectivity for servers and client systems. IPv6 support for management was included in the K.14 firmware release, but customers probably never used this feature on a large scale.

If you decide to keep using IPv4 for management, you must not forget that each configured IPv6 address automatically becomes an address that can be used to manage the switch. You can limit access by defining the mgmt-vlan option. But you cannot always afford to use this method. When configuring the first IPv6 address on the switch you should always set up limitations for access to component management. Use the following command to limit management to selected networks:

servers. The current version does not permit entering IPv6 addresses. Thus, if you use 802.1X user authentication or authenticate the management access to the switch through a RADIUS server, you will need to keep at least one IPv4 address on the component for management purposes.

3 Client Configuration

In the previous sections, we carried out the first step that is required to run IPv6 on the interface. Now, we will find out how to set up an IPv6 address on the endpoint systems. We will skip the possibility of configuring a static address (which can of course be done) and focus on tools that will make the job easier for us.

The IPv6 protocol introduces new mechanisms to configure addresses for endpoint systems. The router advertisement (RA) protocol, a part of Neighbour Discovery (RFC 4861), is one of these. Each router will send information about network addresses that are configured on the router interfaces at regular intervals or upon request (Router Solicitation). These data are used by an endpoint system or device to set its own IPv6 address. It is a completely different approach from the one we were accustomed to in the IPv4 environment, where assigning IPv4 by DHCP was the common way to configure an IPv4 address.

If the routing functionality is enabled on the switch, then Router Advertisement is generated automatically and it includes all networks configured on the interface. But in some cases you might want to suppress the spread of RA. This can be done globally for the whole switch

hp-test(config)#ipv6 nd suppress-ra

or within the configuration of a given interface

hp-test(vlan-224)#ipv6 nd ra suppress

In practice we will probably use these commands very rarely. But the MANAGED and OTHER commands are vastly more important to configure RA. The MANAGED flag says that the device’s IPv6 address and other parameters may be discovered in the given network through DHCPv6. The OTHER flag tells the client that it can use DHCPv6 only to obtain other parameters such as DNS server addresses, DNS suffixes etc. Setting the MANAGED flag automatically has a higher priority. If the MANAGED flag is set, setting the OTHER flag is meaningless. By default, both flags are turned off. They can be turned on with the following commands.

hp-test(vlan-224)#ipv6 nd ra managed-config-flag
hp-test(vlan-224)#ipv6 nd ra other-config-flag

Most likely, in practice these options, especially the MANAGED flag, will be used very often.

4 DHCPv6

It was already mentioned that in the IPv6 world DHCP support is not a necessary prerequisite to automatically configure a device, in contrast to

care of transferring data that are required to create the basic network connectivity. But in RA messages there is no way to provide other necessary data, such as DNS server addresses or search domain suffixes. These data can be received either via DHCP over IPv4 (with dual-stack support) or over DHCPv6. If no DHCPv6 server is connected directly to the given network you will have to use a remote DHCPv6 server and set up DHCPv6 relay on the switch. The set-up for DHCPv6 relay is very similar to the set-up of DHCPv4 relay. The configuration on the switch will be the same for stateful and for stateless configuration.

5 Neighbour Cache

Careful readers will have noticed that address assignment to endpoint systems is not managed centrally as we are used to with IPv4, where the DHCP server usually provides this service. In the case of IPv6, the endpoint system addresses are often randomly generated (RFC 4941), not influenced by an external authority. In many cases, in practical operation the relation between the communicating IPv6 address and the link-layer address (MAC address) will need to be known. With IPv4, this information was stored in an ARP table. With IPv6, the corresponding structure is called neighbour cache. The meaning and use are in principle the same as with an ARP table. You can list its contents with the following command:

hp-test#show ipv6 neighbours

IPv6 ND Cache Entries

IPv6 Address                            MAC Address   State Type    Port
--------------------------------------- ------------- ----- ------- ----
...
2001:718:802:3:223:32ff:fe31:50d4       002332-3150d4 STALE dynamic 2
2001:718:802:3:81f3:b2e7:f738:3bd8      000423-c915c4 STALE dynamic 2
2001:718:802:3:915a:50d3:f16e:919a      000423-c915c4 STALE dynamic 2
fe80::214:22ff:fe7b:8673%vlan223        001422-7b8673 STALE dynamic 23
2001:718:802:80::1                      001ec1-daab81 STALE dynamic 4
fe80::21e:c1ff:feda:ab81%vlan224        001ec1-daab81 STALE dynamic 4
...

As you see, neighbour cache contains records for all types of addresses, i.e. Link-Local and global addresses. For the time being, browsing cached records is not very convenient: only VLAN ID is supported as a filtering option. Therefore, we must use some external tool for more advanced filtering or sorting. The neighbour cache records are also available through the MIB tree, in the ipNetToPhysicalTable defined in RFC 4293.
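As an illustration of the external tooling mentioned above, the following Python sketch (an added example, not part of the original document or of the HP firmware) parses the rows of the listing, groups them by MAC address, and applies the EUI64 rule from section 1 to tell MAC-derived addresses from static or randomly generated ones. It assumes the column layout shown above and /64 prefixes; all function and field names are illustrative.

```python
import ipaddress
import re
from collections import defaultdict

# Data rows copied from the `show ipv6 neighbours` listing above.
SAMPLE = """\
2001:718:802:3:223:32ff:fe31:50d4       002332-3150d4 STALE dynamic 2
2001:718:802:3:81f3:b2e7:f738:3bd8      000423-c915c4 STALE dynamic 2
2001:718:802:3:915a:50d3:f16e:919a      000423-c915c4 STALE dynamic 2
fe80::214:22ff:fe7b:8673%vlan223        001422-7b8673 STALE dynamic 23
2001:718:802:80::1                      001ec1-daab81 STALE dynamic 4
fe80::21e:c1ff:feda:ab81%vlan224        001ec1-daab81 STALE dynamic 4
"""

ROW = re.compile(r"^(\S+)\s+([0-9a-f]{6}-[0-9a-f]{6})\s+(\S+)\s+(\S+)\s+(\S+)$", re.I)

def eui64_interface_id(mac_hex):
    """Modified EUI-64: insert ff:fe between the MAC halves, flip the U/L bit."""
    b = bytes.fromhex(mac_hex)
    return int.from_bytes(bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:], "big")

def parse_neighbours(text):
    """Return {mac: [entry, ...]}; header, separator and '...' lines are skipped."""
    by_mac = defaultdict(list)
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        addr, mac, state, kind, port = m.groups()
        addr, _, zone = addr.partition("%")  # zone = interface of a link-local address
        ip = ipaddress.IPv6Address(addr)
        mac_hex = mac.replace("-", "").lower()
        host_id = int(ip) & (2**64 - 1)      # low 64 bits; assumes a /64 prefix
        by_mac[mac_hex].append({
            "ip": str(ip), "zone": zone, "port": port, "state": state,
            "scope": "link-local" if ip.is_link_local else "global",
            # "other" covers static and randomly generated (RFC 4941) host IDs
            "origin": "eui-64" if host_id == eui64_interface_id(mac_hex) else "other",
        })
    return dict(by_mac)

def non_eui64_globals(by_mac):
    """Per MAC: global addresses whose host ID is not derived from that MAC."""
    hits = {mac: [e["ip"] for e in es if e["scope"] == "global" and e["origin"] == "other"]
            for mac, es in by_mac.items()}
    return {mac: ips for mac, ips in hits.items() if ips}

if __name__ == "__main__":
    print(non_eui64_globals(parse_neighbours(SAMPLE)))
```

For the rows above, the result shows that MAC 000423-c915c4 holds two global addresses that cannot be reconstructed from the MAC, which is the case where the neighbour cache is the only record linking address and hardware.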

6 Unicast Routing

Having overcome all the hurdles of end network configuration, you can start the routing configuration. Routing support is activated with a single command:

hp-test(config)# ipv6 unicast-routing

It is obvious from the command that only unicast routing is activated this way. You would search in vain for a command to activate multicast routing. We must hope that support for multicast routing on the network layer including the related protocols (PIM-SM, PIM-DM) will be included in some future version.

The static routing configuration is also simple. In principle, adding a record to the routing table is not different from the entry that is commonplace in the IPv4 world. The following command probably does not need further comments.

7 Routing Protocol - OSPFv3

The situation is slightly different for the configuration of the routing protocol. The components support the OSPF protocol, specifically its equivalent in the IPv6 world, i.e., OSPFv3 (RFC 2740, 5340). The way in which the protocol works is largely similar to OSPF. The key change is the fact that communication between routers and the exchange of routing information are performed only over the Link-Local addresses. In practice, this means that global IPv6 addresses do not need to be configured on networks that interconnect OSPFv3 routers. The OSPFv3 interface configuration is simplified to allowing IPv6 on the given interface and assigning an OSPFv3 area. The absence of a global IPv6 address on the interface causes some complications. Some diagnostic tools using the ICMPv6 protocol, like traceroute6 and ping6, cannot produce the proper information, because routers are not reachable by a global IPv6 address. This problem can be solved by setting up an IPv6 address on interconnecting networks. In that case, it is not important if the network is identical between routers. Only an arbitrary global address available from the rest of the network is necessary. Another option, very elegant in our opinion, is configuring a single global IPv6 address on the loopback interface of the L3 switch.

Some other parameters must also be set for OSPFv3. Most likely the need to configure an area will not surprise anyone. This is set in the same way as with OSPF – through a 32-bit identifier written in the form of four single-byte numbers separated with dots. The value 0.0.0.0 is used to mark the backbone area just like in OSPF.

With OSPFv3, you will certainly need to manually set the router ID parameter more often. It is a unique router identifier whose value is normally derived from the highest configured IPv4 address on the router. You did not have to deal with its configuration much in the IPv4 world, because the address was derived automatically. But if you want to have only IPv6 routing set up on a router, you need to set this parameter manually. The setting is done with a single command for the OSPF and the OSPFv3 routing process.

hp-test(config)#ip router-id 147.229.240.123

8 Playing with Multicast

Multicast support consists of two parts: link-layer support (multicast distribution optimisation) and support on the network layer (multicast routing). The first part includes mechanisms supporting effective distribution of multicast data. This mechanism was known as IGMP SNOOPING in the IPv4 world. The IGMP protocol is replaced with the MLD protocol (RFC 2710 - Multicast Listener Discovery (MLD) for IPv6). The operation of this protocol is in principle identical to mechanisms known from IGMPv2 and IGMPv3 (RFC 2236, RFC 3376). The MLD protocol is automatically activated at the switch layer. When configuring, we will typically need to activate MLD on the IPv6 layer, i.e. VLAN:

hp-test(vlan-224)#ipv6 mld

Subsequently we can look at the connection status in individual groups with the following command:

hp-test(config)#show ipv6 mld vlan 224

MLD Service Protocol Info

VLAN ID : 310
VLAN Name : list
Querier Address : ::
Querier Up Time : 0h:0m:0s
Querier Expiry Time : 0h:0m:0s
Ports with multicast routers :

Active Group Addresses                   Type ExpiryTime Ports
---------------------------------------- ---- ---------- --------------------
ff02::c                                  FILT 0h:4m:20s  1
ff02::1:3                                FILT 0h:4m:20s  1
ff02::1:ff57:e0b2                        FILT 0h:4m:20s  1
ff02::1:ffb5:2df1                        FILT 0h:4m:20s  1
ff02::1:ffda:768d                        FILT 0h:4m:20s  1

Activating MLD snooping support is recommended as an automatic option for all VLANs.

The configuration mentioned above will provide an effective distribution of multicast operation within the local network. A logical subsequent step would be to activate the support of IPv6 multicast routing and an appropriate multicast routing protocol. But presently we would search in vain for such support. Multicast support on the network layer is planned for some future version.

9 Filtering – IPv6 Access Lists

If you start operating an IPv6 network, you will surely want to secure it in a suitable way. For this purpose, you can use an access-list-based packet filter on HP switches. Support for creating IPv6 access lists was included in the K.14 firmware release. The new version brings filtering support at the VLAN layer and routing support. The management is identical to creating access lists in the IPv4 environment.

First we must create a relevant access list in which we describe the filtering rules themselves:

blocks all SMTP traffic with the exception of the address 2001:718:802:4::93e5:394 which is the SMTP server. The access list created in this way must then be connected either to an interface (port):

hp-test(config-ipv6-acl)# interface a1
hp-test(eth-A1)# ipv6 access-group acl_1 in

or VLAN:

hp-test(vlan-223)# ipv6 access-group acl_1 in
hp-test(vlan-223)# ipv6 access-group acl_1 out

10 Conclusion

IPv6 support for components in the ProCurve series was released a bit later than with other manufacturers. You will need to wait a bit longer for support that provides all features, including multicast operation and various protection mechanisms. Despite small shortcomings, the implementation can be considered functional and it can be put into production on ordinary networks. The big advantage is that IPv6 support is released in the standard software release, which is available from the ProCurve webpage, so that you do not have to pay anything extra to enable IPv6 features.

More Best Practice Documents are available at www.terena.org/campus-bp/
campus-bp-announcements@terena.org